From f86c0349f3c0612b59f995794dbcadfe41fa6c77 Mon Sep 17 00:00:00 2001 From: Evan Gibler <20933572+egibs@users.noreply.github.com> Date: Sun, 9 Jun 2024 21:00:56 -0500 Subject: [PATCH 1/6] Create release instead of Tag; other fixes Signed-off-by: Evan Gibler <20933572+egibs@users.noreply.github.com> --- .github/workflows/{tag.yaml => release.yaml} | 26 ++++++++------------ .github/workflows/version.yaml | 5 ++++ 2 files changed, 15 insertions(+), 16 deletions(-) rename .github/workflows/{tag.yaml => release.yaml} (52%) diff --git a/.github/workflows/tag.yaml b/.github/workflows/release.yaml similarity index 52% rename from .github/workflows/tag.yaml rename to .github/workflows/release.yaml index bdb002e8b..9c01522ba 100644 --- a/.github/workflows/tag.yaml +++ b/.github/workflows/release.yaml @@ -1,9 +1,7 @@ -name: Tag Release +name: Cut Release on: - push: - branches: - - main + workflow_dispatch: permissions: id-token: write 
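Review bot: Switching the trigger to `workflow_dispatch:` drops the implicit guarantee the old `push: branches: [main]` trigger gave, that a release is only ever cut from `main`; a manual run can now be started on any branch and the job will read the version file from, and release, whatever that ref holds. Add a ref guard on the job, e.g. `if: github.ref == 'refs/heads/main'`, or put the job behind a protected `environment:` with required reviewers. Only `id-token: write` is visible here; the rest of the `permissions:` block and the job definition are outside this hunk.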
@@ -26,18 +24,14 @@ jobs: run: | VERSION=$(awk -F'"' '/ID string =/ {print $2}' ${{ env.VERSION_FILE }}) echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT" - - name: Create Tag + - name: Create Release + env: + GH_TOKEN: ${{ github.token }} if: ${{ steps.get-version.outputs.VERSION != '' }} run: | VERSION=${{ steps.get-version.outputs.VERSION }} - if [ $(git tag -l "$VERSION") ]; then - echo "Tag already exists for version $VERSION" - exit 0 - else - git config --global tag.gpgsign true - git config user.name "github-actions[bot]" - git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - git tag $VERSION - git push origin tag $VERSION - gitsign verify $(git rev-list --tags --max-count=1) --certificate-identity-regexp="https://github.com/${{ github.repository }}" --certificate-oidc-issuer="https://token.actions.githubusercontent.com" - fi + git config --global tag.gpgsign true + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + gh release create "$VERSION" --title "$VERSION" --notes "Release $VERSION" --draft + gitsign verify $(git rev-list --tags --max-count=1) --certificate-identity-regexp="https://github.com/${{ github.repository }}" --certificate-oidc-issuer="https://token.actions.githubusercontent.com" diff --git a/.github/workflows/version.yaml b/.github/workflows/version.yaml index c2597f7f9..038a171ca 100644 --- a/.github/workflows/version.yaml +++ b/.github/workflows/version.yaml @@ -25,6 +25,7 @@ jobs: - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 - uses: chainguard-dev/actions/setup-gitsign@e82b4e5ae10182af72972addcb3fedf7454621c8 - name: Update Version + id: update run: | UPDATE_TYPE=${{ github.event.inputs.update }} 
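Review bot: The `gitsign verify $(git rev-list --tags --max-count=1)` line no longer checks the release being cut: `gh release create --draft` creates the tag server-side (for a draft, only once it is published) and nothing is fetched back into the clone, so `git rev-list --tags` resolves to whichever pre-existing tag is newest, or fails when there is none. `git config --global tag.gpgsign true` is now dead configuration because no `git tag` runs, so the release tag is no longer a gitsign-signed tag as it was before this change. Create and push the signed tag locally, verify it, and then attach the release with `--verify-tag`, which also restores the "tag already exists" failure the removed branch used to handle. The step's `if:` and the job's `permissions:` (presumably needing `contents: write` for the push) are outside the hunk.
```yaml
          git config --global tag.gpgsign true
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git tag "$VERSION"
          git push origin "refs/tags/$VERSION"
          gitsign verify-tag "$VERSION" --certificate-identity-regexp="https://github.com/${{ github.repository }}" --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
          gh release create "$VERSION" --verify-tag --title "$VERSION" --notes "Release $VERSION" --draft
```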
@@ -52,10 +53,12 @@ jobs: echo "New bincapz version: $VERSION" sed -i -e "s/ID string = \"v[0-9]*\.[0-9]*\.[0-9]*\"/ID string = \"v$VERSION\"/" ${{ env.VERSION_FILE }} + echo "VERSION=$VERSION" >> $GITHUB_OUTPUT - name: Commit Version Update run: | git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + VERSION=${{ steps.update.outputs.VERSION }} BRANCH="bincapz-version-bump-$VERSION" git checkout -b $BRANCH git add ${{ env.VERSION_FILE }} @@ -63,5 +66,7 @@ jobs: git push origin $BRANCH gitsign verify $(git rev-parse HEAD) --certificate-identity-regexp="https://github.com/${{ github.repository }}" --certificate-oidc-issuer="https://token.actions.githubusercontent.com" - name: Create Pull Request + env: + GH_TOKEN: ${{ github.token }} run: | gh pr create -t "Update bincapz to $VERSION" -b "PR to update the version in ${{ env.VERSION_FILE }} to $VERSION" -B main From 2bb109e8d9bba39209637f9d0b0e654dfd629da2 Mon Sep 17 00:00:00 2001 From: egibs <20933572+egibs@users.noreply.github.com> Date: Mon, 10 Jun 2024 07:09:40 -0500 Subject: [PATCH 2/6] Automatically generate release notes Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 9c01522ba..d2585f59d 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
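Review bot: `VERSION=${{ steps.update.outputs.VERSION }}` in the `Commit Version Update` step inlines a workflow expression into the shell script, so the value is substituted into the script text before the shell runs and is not quoted; the output is computed from the `update` dispatch input by code outside this hunk, so today it is probably a plain version number, but the safer pattern this file already uses for `GH_TOKEN` is an `env:` mapping, `VERSION: ${{ steps.update.outputs.VERSION }}`, with the script reading `"$VERSION"`. The added `echo "VERSION=$VERSION" >> $GITHUB_OUTPUT` should also quote the path, `>> "$GITHUB_OUTPUT"`, as release.yaml does.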
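Review bot: The `Create Pull Request` step still reads `$VERSION` in its `-t` and `-b` strings, but shell variables do not survive between steps and the new `env:` block only supplies `GH_TOKEN`, so the PR title and body are rendered with an empty version. Pass it alongside the token, `VERSION: ${{ steps.update.outputs.VERSION }}` under the step's `env:`. The preceding `Commit Version Update` step sets `VERSION` only for its own shell.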
@@ -33,5 +33,5 @@ jobs: git config --global tag.gpgsign true git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - gh release create "$VERSION" --title "$VERSION" --notes "Release $VERSION" --draft + gh release create "$VERSION" --title "$VERSION" --notes "Release $VERSION" --draft --generate-notes gitsign verify $(git rev-list --tags --max-count=1) --certificate-identity-regexp="https://github.com/${{ github.repository }}" --certificate-oidc-issuer="https://token.actions.githubusercontent.com" From a85fb8913a857e0733ff16dd9b8a75cf27c1721c Mon Sep 17 00:00:00 2001 From: egibs <20933572+egibs@users.noreply.github.com> Date: Mon, 10 Jun 2024 07:15:21 -0500 Subject: [PATCH 3/6] Update certificate-identity-regexp Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --- .github/workflows/release.yaml | 2 +- .github/workflows/version.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index d2585f59d..15dcc3b93 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -34,4 +34,4 @@ jobs: git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" gh release create "$VERSION" --title "$VERSION" --notes "Release $VERSION" --draft --generate-notes - gitsign verify $(git rev-list --tags --max-count=1) --certificate-identity-regexp="https://github.com/${{ github.repository }}" --certificate-oidc-issuer="https://token.actions.githubusercontent.com" + gitsign verify $(git rev-list --tags --max-count=1) --certificate-identity-regexp="https://github.com/${{ github.repository }}/*" --certificate-oidc-issuer="https://token.actions.githubusercontent.com" diff --git a/.github/workflows/version.yaml b/.github/workflows/version.yaml index 038a171ca..0eb6ab1d8 100644 --- a/.github/workflows/version.yaml 
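Review bot: `--certificate-identity-regexp` is a Go regular expression, not a glob, and the match is unanchored, so `https://github.com/${{ github.repository }}/*` means "the repository URL followed by zero or more slashes, anywhere in the SAN": it still accepts `https://github.com/OWNER/REPO-fork/...` or `.../REPO2/...`, and the unescaped `.` matches any character. Anchor and escape it, e.g. `^https://github\.com/${{ github.repository }}/\.github/workflows/release\.yaml@` (the SAN in an Actions-issued gitsign certificate is the job workflow ref, so pinning the workflow path, and `@refs/heads/main$` if releases only come from main, expresses the intended identity). The verification target on this line, `git rev-list --tags --max-count=1`, is the commit the newest local tag points to rather than the release created by the previous line.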
+++ b/.github/workflows/version.yaml @@ -64,7 +64,7 @@ jobs: git add ${{ env.VERSION_FILE }} git commit -m "Bump bincapz version to v$VERSION" git push origin $BRANCH - gitsign verify $(git rev-parse HEAD) --certificate-identity-regexp="https://github.com/${{ github.repository }}" --certificate-oidc-issuer="https://token.actions.githubusercontent.com" + gitsign verify $(git rev-parse HEAD) --certificate-identity-regexp="https://github.com/${{ github.repository }}/*" --certificate-oidc-issuer="https://token.actions.githubusercontent.com" - name: Create Pull Request env: GH_TOKEN: ${{ github.token }} From 624c94b3564b4be98fbcfd450e55dfed1c71d09c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Jun 2024 12:36:24 +0000 Subject: [PATCH 4/6] Bump the all group with 2 updates (#259) Bumps the all group with 2 updates: [step-security/harden-runner](https://github.com/step-security/harden-runner) and [reviewdog/action-misspell](https://github.com/reviewdog/action-misspell). Updates `step-security/harden-runner` from 2.8.0 to 2.8.1 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/f086349bfa2bd1361f7909c78558e816508cdc10...17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6) Updates `reviewdog/action-misspell` from 1.17.0 to 1.19.0 - [Release notes](https://github.com/reviewdog/action-misspell/releases) - [Commits](https://github.com/reviewdog/action-misspell/compare/5bd7be2fc7ae56a517184f5c4bbcf2fd7afe3927...8cd4a880dd86b1b175092c18c23cdec31283d654) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: reviewdog/action-misspell dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all ... 
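Review bot: `gitsign verify` runs only after `git push origin $BRANCH`, so a commit that fails verification is already on the remote branch by the time the step exits non-zero; swap the two lines so the push is gated on a successful verify. The regexp on this line has the same weakness as the release workflow's: `/*` is "zero or more slashes" in an unanchored Go regexp, so prefer something like `^https://github\.com/${{ github.repository }}/\.github/workflows/version\.yaml@`. `git commit -m` carries no `-S`, so the signature relies on `commit.gpgsign` being set by the setup-gitsign step earlier in the job, which is outside this hunk.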
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/go-tests.yaml | 2 +- .github/workflows/release.yaml | 2 +- .github/workflows/style.yaml | 2 +- .github/workflows/version.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/go-tests.yaml b/.github/workflows/go-tests.yaml index 7ad4ffd01..b11d39599 100644 --- a/.github/workflows/go-tests.yaml +++ b/.github/workflows/go-tests.yaml @@ -19,7 +19,7 @@ jobs: contents: read steps: - - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: egress-policy: audit diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 15dcc3b93..73300129b 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -14,7 +14,7 @@ jobs: tag: runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 + - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 with: egress-policy: audit - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 diff --git a/.github/workflows/style.yaml b/.github/workflows/style.yaml index df9ebdb77..8fdab47b7 100644 --- a/.github/workflows/style.yaml +++ b/.github/workflows/style.yaml @@ -87,7 +87,7 @@ jobs: go-version-file: go.mod check-latest: true - - uses: reviewdog/action-misspell@5bd7be2fc7ae56a517184f5c4bbcf2fd7afe3927 # v1.17.0 + - uses: reviewdog/action-misspell@8cd4a880dd86b1b175092c18c23cdec31283d654 # v1.19.0 if: ${{ always() }} with: github_token: ${{ secrets.github_token }} diff --git a/.github/workflows/version.yaml b/.github/workflows/version.yaml index 0eb6ab1d8..a041f4c1a 100644 --- a/.github/workflows/version.yaml +++ b/.github/workflows/version.yaml 
@@ -19,7 +19,7 @@ jobs: version: runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 + - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 with: egress-policy: audit - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 From 3d44a1e47cbc4dc1fe37247f374ac28bf79d6a20 Mon Sep 17 00:00:00 2001 From: Evan Gibler <20933572+egibs@users.noreply.github.com> Date: Sun, 9 Jun 2024 21:00:56 -0500 Subject: [PATCH 5/6] Create release instead of Tag; other fixes Signed-off-by: Evan Gibler <20933572+egibs@users.noreply.github.com> --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 73300129b..15dcc3b93 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -14,7 +14,7 @@ jobs: tag: runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 + - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 with: egress-policy: audit - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 From b999393bdb78c163599363c7d0365fc5cb8eb0d9 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Jun 2024 12:36:24 +0000 Subject: [PATCH 6/6] Bump the all group with 2 updates (#259) Bumps the all group with 2 updates: [step-security/harden-runner](https://github.com/step-security/harden-runner) and [reviewdog/action-misspell](https://github.com/reviewdog/action-misspell). Updates `step-security/harden-runner` from 2.8.0 to 2.8.1 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/f086349bfa2bd1361f7909c78558e816508cdc10...17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6) Updates `reviewdog/action-misspell` from 1.17.0 to 1.19.0 - [Release notes](https://github.com/reviewdog/action-misspell/releases) - [Commits](https://github.com/reviewdog/action-misspell/compare/5bd7be2fc7ae56a517184f5c4bbcf2fd7afe3927...8cd4a880dd86b1b175092c18c23cdec31283d654) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: reviewdog/action-misspell dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 15dcc3b93..73300129b 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -14,7 +14,7 @@ jobs: tag: runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 + - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 with: egress-policy: audit - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29